App Tiers Affected: Client, Services, Access, TLS, DNS, Network

Gafgyt (also known as Bashlite) is one of the most common types of malware infecting IoT devices, and has been active since 2014. A new variant of this notorious malware continues to target small office and home office (SOHO) routers from well-known brands, including Huawei and Asus. Gafgyt’s core functionality remains the same, that is, attacking IoT devices with multiple hardcoded exploits in order to take control and harness their power for DDoS attacks. However, for this new campaign the Gafgyt author has introduced techniques designed to remove rival IoT malware.

This Gafgyt campaign targets 48 different malware variants in an attempt to spread further than previous iterations of the malware.

56% of the malware species on the kill list are known rival IoT botnets (thingbots).

Huawei HG532 and Asus routers are targeted in this new campaign through known vulnerabilities released in 2017 and 2018: CVE-2017-17215 and CVE-2018-15887.

Stage 2: Kill Competing Bots

The most common way to keep a botnet active is to kill off other rival bots that have already infected target devices. This latest Gafgyt campaign includes a preconfigured target list of other active botnets, including some very well known IoT botnets, as well as some malware species novel to F5 Labs.

Of the 48 different malware variants targeted in Gafgyt’s kill list, 56% of them are known IoT bots. We are still investigating the other 46% that are unknown or obscure. Some of these are known IoT botnet creators that could have also named a bot after themselves, or they are AKAs of other known bots. Others are offensive names typical of the malware creator persona.

Figure 4: Known versus unknown malware in Gafgyt’s kill list.

This technique of competitive exclusion has been seen in other malware species, including the IoT botnet Mirai and the new crypto-miner Golang malware, which attempts to kill off rival crypto-miners in the fierce competition for scarce resources, in this case vulnerable devices.

Also included in Gafgyt’s kill list are targeted architectures, services, servers and bot processes.

Target architectures: 440fp, armv4, armv5, armv6, armv7, i586, i686, m68k, mips, powerpc, ppc, sh4, sparc, superh, x86

Target services, servers and bot processes: apache2, bash, cron, ftp, irc, ntpd, openssh, pftp, sh, sshd, telnet, telnetd, tftp, wget, httpflood, lolnogtfo, stdflood, tcpflood, udpflood
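From a defender's side, the kill list above is itself an indicator: when a router's own telnetd, sshd or cron daemons vanish and a flood-bot-named process appears, competitive exclusion of this kind is a likely cause. The following detection helper is an added example, not F5 Labs code; it assumes a BusyBox-style `ps` column layout and substring matching of process names, and the two process snapshots are constructed.

```python
# Added example, not F5 Labs code: flag Gafgyt-style competitive exclusion on a
# router by diffing its process table against the article's kill list.
# BusyBox `ps` column layout and substring matching are assumptions of this demo.
GAFGYT_KILL_LIST = {  # service, server and bot process names from the article
    "apache2", "bash", "cron", "ftp", "irc", "ntpd", "openssh", "pftp", "sh",
    "sshd", "telnet", "telnetd", "tftp", "wget",
    "httpflood", "lolnogtfo", "stdflood", "tcpflood", "udpflood",
}
# Entries that name rival flood bots rather than legitimate services.
BOT_PROCESS_NAMES = {"httpflood", "lolnogtfo", "stdflood", "tcpflood", "udpflood"}

def parse_ps(ps_output):
    """Command basenames from BusyBox-style `ps` (PID USER VSZ STAT COMMAND)."""
    names = set()
    for line in ps_output.strip().splitlines()[1:]:   # skip header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        executable = fields[4].split()[0]          # drop arguments
        names.add(executable.rsplit("/", 1)[-1])   # drop directory path
    return names

def on_kill_list(name):
    # Substring match (assumed): 'crond' should match the 'cron' entry.
    return any(entry in name for entry in GAFGYT_KILL_LIST)

def assess(baseline_ps, current_ps):
    """Compare a known-good snapshot with the current process table."""
    before, now = parse_ps(baseline_ps), parse_ps(current_ps)
    return {
        # legitimate services on the kill list that have vanished
        "killed_services": {n for n in before - now if on_kill_list(n)},
        # newly appeared processes named like the flood bots on the list
        "suspicious_processes": {n for n in now - before if n in BOT_PROCESS_NAMES},
    }

# Constructed sample snapshots, not captured from a real device.
BASELINE_PS = """\
  PID USER       VSZ STAT COMMAND
  120 root      1248 S    /usr/sbin/telnetd
  131 root      1412 S    /usr/sbin/sshd
  140 root      1100 S    crond
  150 root       980 S    /usr/sbin/ntpd -p pool.ntp.org
"""
CURRENT_PS = """\
  PID USER       VSZ STAT COMMAND
  150 root       980 S    /usr/sbin/ntpd -p pool.ntp.org
  402 root      2200 S    /tmp/udpflood
"""
```

Run against periodic `ps` captures from a monitored device, a non-empty `killed_services` set is the alert condition; `ntpd` survives in the sample and is correctly not reported.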

Stage 3: DoS attack

Once Gafgyt infects a targeted IoT device, the malware initiates DDoS attacks against requested targets. In this campaign researchers noticed three different kinds of DDoS attacks:

The functions shown in Figure 5 are the DDoS attack methods seen in this Gafgyt campaign after it compromises Huawei and Asus routers.

Figure 5: DDoS attack methods used by this iteration of Gafgyt.

The focus on vseattacks, which specifically target popular game servers, is particularly notable. Games running on the Valve Source Engine include Counter-Strike, Team Fortress and Half-Life 2. Game servers are a popular target for IoT botnets because many of these botnet creators are young. As we noted in the Hunt for IoT research series, script kiddies learn to build botnets from YouTube, then use their skills to DoS rival game servers as a way to sabotage or take revenge against other players.

Conclusion

This latest Gafgyt campaign shows that the malware is evolving and taking on techniques used by other malware authors. Those interested in building botnets don’t need to go far in order to find source code to create their own. Botnets for service are also common and easy to buy. They are advertised on a variety of platforms, including Instagram, and we recently wrote about the ease of compromising IoT devices, even for children.

Gafgyt, in particular, is a botnet that defenders should keep an eye on. Gafgyt’s campaigns are typically active for a long time, and it has continued to enhance its attack services and exploits for different devices. In order to stay relevant in the IoT botnet world, it has expanded its list of rival bots and removes them from targeted devices.

The Huawei routers being targeted by this variant/campaign are older routers. Researchers recommend replacing older routers with newer models, both for performance and security, and regularly updating newer routers to maximize protection. Most importantly, vendor default credentials should be disabled on all IoT systems (as Huawei recommended for CVE-2017-17215).

Security Controls

Enterprises and individuals should consider implementing the following security controls, depending on their specific circumstances (for a longer list of IoT hardening suggestions, see the conclusion of the Hunt for IoT volume 4):


Technical, preventative:

Disable remote management, restrict access to a management network, or place devices behind a firewall.

Leverage network address translation (NAT) at a minimum, if the devices will be used in a residence.

Change the vendor default credentials and disable the default admin account if you can.

Continually update the devices with the latest firmware as it is released.

Use an intrusion detection system to catch known malware.

Administrative, corrective:

Review and adjust access controls as necessary.

Notify customers of malware detected on their systems during login, so they can take steps to clean their systems.

Implement a patch management system in order to keep systems current on patches.

Administrative, preventative:

Provide security awareness training to employees and customers.

About the author

Doron Voolf

Working at F5 for 5 years, Doron handles and analyzes cyber threat investigations for most of the major banking malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science.

Sara Boddy is a Senior Director overseeing F5 Labs and Communities. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years; prior to Demand Media, she held various roles in the information security community over 11 years at Network Computing Architects and Conjungi Networks.

Remi Cohen is a Threat Research Evangelist with F5 Labs. Prior to F5 she worked for a large national laboratory conducting vulnerability assessments and research on current threats, as well as serving as a civilian analyst for the US Department of Defense. Her specialty areas of research include mobile vulnerabilities, Industrial Control Systems, and Eastern European threats. She is an Associate of (ISC)2, having passed the CISSP exam, and is certified in both CompTIA Security+ and EC-Council C|EH. She holds a Master’s degree from New Mexico State University in Industrial Engineering as well as Bachelor’s degrees in Computer Science and Government from Georgetown University.

Sander Vinberg is a Threat Research Evangelist for F5 Labs. He has worked in information security, geopolitical risk, and linguistic consulting. He holds a master’s degree from the University of Washington in Information Management, as well as bachelor’s degrees in History and African and African-American Studies from the University of Chicago.
